Image by Gerd Altmann from Pixabay
Javier Perez
Chief Evangelist & Sr. Director Product Management, OpenLogic by Perforce
The State of Open Source Software, Security & Support
Nice To Meet You!
Chief Evangelist & Sr. Director Product Management
@jperezp_bos
javierperez.mozello.com
www.linkedin.com/in/javierperez
Javier Perez
Package counts (source: www.modulecounts.com):
• 2.1M+ packages, 1,034 packages per day
• 504K+ packages, 157 packages per day
• 355K+ packages, 87 packages per day
• 410K+ packages, 276 packages per day
• 328K+ packages, 150 packages per day
• 173K+ packages, 15 packages per day
Source: Oct 28, 2022 www.modulecounts.com
• 370+ Projects
• 420+ Projects
• 850+ Projects
• 120+ Projects
• 40+ Projects
Has your organization increased the use of open source software over the last year?
• Yes: 41%
• Yes, significantly: 36%
• Remain the same: 22%
• Reduced the use of open source: 1.6%
YES (combined): 77%
Agenda:
• Open Source Support
• Open Source in Organizations & Government
• Open Source Security
Open Source SDLC Trends
• Smaller Releases
• CI/CD, Testing & Security Scan Automation
• Reduced Number of Supported Releases
• Reduced Long-Term Support
• Challenging to maintain older versions
  • Backporting patches
  • Time consuming
  • Regression testing
Chart labels: Constant Updates, Shorter LTS, Release Cadence
Long-Term Support and End-of-Life
• AngularJS EOL
• CentOS
• Extended Support beyond LTS?
PHP (source: www.php.net/supported-versions.php)
Node.js (source: https://endoflife.date)
Risks of Ignoring End-of-Life
• Unpatched CVEs mean an ongoing and compounding risk of exploitation
• Incompatibility with newer software
• Non-compliance (internal policy or industry compliance)
• Upgrading or migrating becomes more complex the longer it is deferred, and more support is required
• Self-support cost: development resources pulled away from their jobs, and specific expertise required
Open Source Support Challenges
• Keeping up with updates & patches
• Installation, upgrades & configuration
• Personnel experience & proficiency
Keeping Up With Updates and Patches
• Constant releases and applying security patches
• End-of-life versions
Figure: release timeline V1.0.0, V1.0.1, V1.0.2, with a vulnerability discovered and then fixed between each pair of releases
Example: OpenSSL releasing 3.0.7 today
Open Source Security Today: Increased Awareness
• Identify Inventory: Software Bill of Materials (SBOM)
• Security Scans: Vulnerability Detection
• Apply Fixes: Patches
Dependencies and Vulnerabilities
• Open source libraries reusability
• Depending on the programming language, libraries can have up to thousands of dependencies
• A real risk for all software when there are vulnerabilities in dependencies
* Sources: graphcommons.com
Open Source Software Security Mobilization Plan
• Education
• Risk Assessment Top 10K OSS
• Digital Signatures
• Move to Memory Safe Languages
• Incident Response Team
• Coordinated Public Disclosure
• Code Reviews Top 200 OSS
• Industry Data Sharing
• SBOM Everywhere
• Enhance Package Management
ISO/IEC 5230 OpenChain Standard
• Organization-level license compliance for every OSS artifact
• Documented process
• SBOM verification
• Open source community engagement
License Risk
Open Source and US Government
• White House Executive Order on Improving Cybersecurity - Working Groups
• H.R. 7667 Medical Device Security Bill – Vulnerability detection and SBOMs directive
• The Federal Trade Commission (FTC) advises companies to patch Log4j – Legal Action
• Cybersecurity and Infrastructure Security Agency (CISA) – Binding directive making vulnerability disclosure mandatory
• National Security Strategy - Aligning with Orgs & OSS
• US Senate Securing Open Source Software Act – Best practices assessment framework, OSPO, and hire OSS experts
Open Source Maturity in Organizations
(chart axes: Desired Position/Efforts vs. Time)
• Consumers: Adopting (cost, time, or modernize); Deploying and complying with licenses
• Participants: Limited contributions to open source; Increased use & adoption, business-critical
• Contributor: Contributions to open source projects; Investment in open source technologies
• Leader: Launching new open projects & initiatives; Establishing Open Source Program Office
Maturity in Organizations by the Numbers
• Retail has the highest OSS usage, at 60%
• Manufacturing has the lowest rate of experts, 30%
• Banking, Insurance and Financial Services have the most innersource, 19%
• Healthcare and Pharma have the highest rate of OSPOs, 21%
* Sources: 2022 State of Open Source Report
Open Source Jobs Report
Source: The Linux Foundation OSS Jobs Report
• 93% of employers have difficulty finding talent with OSS skills
• 77% of orgs are growing their use of cloud-native technologies
• 81% of open source professionals plan to add certifications
• Most in-demand skills: Cloud/Container Technology, Linux, DevOps/GitOps, Cybersecurity, AI/ML, Web Technologies
Key Takeaways
§ Open source release life cycles, EOL and LTS are constantly changing
§ Lessons from CentOS and AngularJS EOL
§ OSS communities work on security; the key is to keep up with updates and patches
§ There’s more Open Source Security Awareness and Government participation
Has your organization increased the use of open source software over the last year? (previous results)
• Yes: 41%
• Yes, significantly: 36%
YES (combined): 77%
Has your organization increased the use of open source software over the last year? (Latest Results)
• Yes: 50%
• Yes, significantly: 35%
YES (combined): 85%
Participate in the 2023 State of Open Source: www.research.net/r/state-of-oss
Thank You!
Chief Evangelist & Sr. Director Product Management
@jperezp_bos
javierperez.mozello.com
www.linkedin.com/in/javierperez
Javier Perez
All Things Open 2022 - State of OSS Security & Support